SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 82

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 83

changes.mady.by.user Gina DeCola

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wiki Markup
Many programs and libraries, including the shared library loader on both UNIX and Windows systems, depend on environment variable settings. Because environment variables are inherited from the parent process when a program is executed, an attacker can easily sabotage variables, causing a program to behave in an unexpected and insecure manner \[[Viega 03|AA. C References#Viega 03]\].

All programs, in particular particularly those running with higher privileges than the caller (such as those with setuid/setgid flags), should treat their environment as untrusted user input. Because the environment is inherited by processes spawned by calls to the fork(), system(), or exec() functions, it is important to verify that the environment does not contain any values that can lead to unexpected behavior.

...

C99 states that, "the set of environment names and the method for altering the environment list are implementation-defined." It Therefore, it is consequently important to understand what local functions are available for clearing, modifying, and looking up default values for environment variables. Because some programs may behave in unexpected ways when certain environment variables are not set, it is important to understand which variables are necessary on your system and what are safe values for them.

The nonstandard function clearenv() function (which is not defined by either C99 or POSIX) may be used to clear out the environment where available, : otherwise it can be cleared by obtaining the environment variable names from environ and removing each one using unsetenv().

Wiki Markup
POSIX also specifies the {{confstr()}} function which, can then be used to look up default values for environment variables \[[Open Group 04|AA. C References#Open Group 04]\]. POSIX.1-2008 defines a new {{\_CS_V7_ENV}} argument to {{confstr()}} to retrieve a list of environment variable settings required for a default conforming environment \[[Austin Group 08|AA. C References#Austin Group 08]\]. A space-separated list of variable = value pairs is returned, with variable names guaranteed not to contain equal signs (=), and variable = value pairs guaranteed not to contain spaces. Used together with the {{\_CS_PATH}} request illustrated above, this completely describes the minimum environment variable settings required to obtain a clean, conforming environment. On systems conforming to the POSIX.1-2008 standard, this should be used to create a sanitized environment.

Wiki Markup
If it is explicitly known which environment variables need to be kept, \[[Viega 03|AA. C References#Viega 03]\] defines a function, {{spc_sanitize_environment()}}, whichthat will remove everything else.

...

In this compliant solution, the environment is cleared by clearenv(), and then the PATH and IFS variables are set to safe values before invoking system(). Sanitizing a shell command can be difficult and doing so can adversely affect the power and flexibility associated with them.

...

Wiki Markup
\[[Austin Group 08|AA. C References#Austin Group 08]\] volVol. 2, System Interfaces, {{confstr()}}
\[[CA-1995-14|http://www.cert.org/advisories/CA-1995-14.html]\] "Telnetd Environment Vulnerability"
\[[Dowd 06|AA. C References#Dowd 06]\] Chapter 10, "UNIX II: Processes"
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.20.4, "Communication with the environment"
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "XYS Executing or Loading Untrusted Code"
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 426|http://cwe.mitre.org/data/definitions/426.html], "Untrusted Search Path," [CWE ID 88|http://cwe.mitre.org/data/definitions/88.html], "Argument Injection or Modification," and [CWE ID 78|http://cwe.mitre.org/data/definitions/78.html], "Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')"
\[[Open Group 04|AA. C References#Open Group 04]\] Chapter 8, "Environment Variables", and [{{confstr()}}|http://www.opengroup.org/onlinepubs/009695399/functions/confstr.html]
\[[Viega 03|AA. C References#Viega 03]\] Section 1.1, "Sanitizing the Environment"
\[[Wheeler 03|AA. C References#Wheeler 03]\] [Section 5.2, "Environment Variables"|http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/environment-variables.html]

...